Bug 2101

Summary: Unaligned memory access on sparc in UMAC implemetation
Product: Portable OpenSSH Reporter: Tomas Kuthan <tomas.kuthan>
Component: sshAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: normal CC: djm, dtucker, tomas.kuthan
Priority: P5    
Version: 6.0p1   
Hardware: SPARC   
OS: Solaris   
Bug Depends on:    
Bug Blocks: 2076    
Attachments:
Description Flags
Bug fix based on Solaris Studio #pragma
none
Bug fix based on union
none
Bug fix based on Solaris Studio #pragma
none
Bug fix based on malloc none

Description Tomas Kuthan 2013-05-13 21:52:08 AEST 
Created attachment 2264 [details]
Bug fix based on Solaris Studio #pragma

There is an alignment issue in UMAC implementation, which can cause crash in ssh binary on sparc.

Static variable m is defined in mac.c as an array of chars:
168	static u_char m[EVP_MAX_MD_SIZE];

This array is passed to function umac128_final() in ssh/umac.c, and later cast to 64-bit unsigned integer and accessed in pdf_gen_xor():
264    *((UINT64 *)buf) ^= ((UINT64 *)pc->cache)[ndx];

AFAIK, there is no assurance, that a static char array will be double-word aligned. And indeed, when compiled using Solaris Studio 12.1 cc, the variable address (0x909ac) is only word-aligned:
   58588:       37 00 02 42     sethi  %hi(0x90800), %i3
   5858c:       40 00 18 1a     call  5e5f4 <umac_final>
   58590:       92 06 e1 ac     add  %i3, 0x1ac, %o1    ! 909ac <Bbss.bss>

This later causes a crash in:
pdf_gen_xor+0x68: ldx [0x909ac], %o5

I am proposing two alternatives for the fix (please, see attached):
umac_align-pragma.patch - Solaris Studio specific pragma
umac_align-union.patch - generic approach - union for alignment
Comment 1 Tomas Kuthan 2013-05-13 21:53:44 AEST 
Created attachment 2265 [details]
Bug fix based on union
Comment 2 Tomas Kuthan 2013-05-13 21:56:05 AEST 
Created attachment 2266 [details]
Bug fix based on Solaris Studio #pragma
Comment 3 Darren Tucker 2013-05-31 04:58:19 AEST 
Created attachment 2281 [details]
Bug fix based on malloc

Third option: malloc the memory which guarantees that it'll be suitably aligned.
Comment 4 Damien Miller 2013-05-31 07:56:01 AEST 
My vote goes to the union
Comment 5 Darren Tucker 2013-06-03 10:04:02 AEST 
union variant applied and will be in the 6.3 release.  Thanks.
Comment 6 Damien Miller 2016-08-02 10:40:58 AEST 
Close all resolved bugs after 7.3p1 release